IBM i servers and workloads can produce large amounts of log data daily, but because it is written in different formats, to different journals, queues and system logs, it’s difficult to access and make usable for reporting. Join us for a webinar as we introduce Syncsort Ironstream for IBM i: a new product that expands our machine data solutions for Splunk to the IBM i. Learn how Ironstream can help your organization gain insight into operations, security and service delivery for the ultimate success of your business.
View this webinar on-demand to learn:
• How to leverage Splunk Enterprise to gain insight into IBM i log data
• Ways to gain better insight into security threats
• How to discover and act upon operational and performance issues that impact service delivery
Ironstream for IBM i - Enabling Splunk Insight into Key Security and Operational Metrics
1. Ironstream for IBM i
Enabling Splunk Insight into Key
Security and Operational Metrics
June 19, 2018
Ed Wrazen and Rich Fronheiser
2. Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio,
please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation
using the chat window.
• We will answer them during our Q&A session following the
presentation.
Recording and slides
• This webcast is being recorded. You will receive an
email following the webcast with a link to download
both the recording and the slides.
3. Today’s Presenters
Ed Wrazen, Director, Product Management
Ed is responsible for the product strategy & roadmap for Syncsort’s Ironstream &
Mainframe products and solutions. With a career in Enterprise IT spanning 35 years,
Ed has held roles in software development, database design and administration,
product management, consulting and marketing in global businesses and enterprise
technology companies. Ed has experience in Enterprise systems architectures,
performance management, database and data management technologies and is
a regular speaker at industry events worldwide.
Rich Fronheiser, Product Marketing Director
Rich has been working in Capacity Management for over 20 years and is currently Director
of Product Marketing at Syncsort, focusing on Data Infrastructure Optimization products.
Rich joined the Syncsort team as part of its acquisition of Metron. His work began at Metron
in 2003 as the first US-based Principal Consultant, which saw him in a variety of presales
and post-sales consulting and education roles supporting the sales organization.
In 2011, he turned his attention to product and corporate marketing and became the
Chief Marketing Officer of Metron in April 2013 and served in that role through the
acquisition by Syncsort.
4. We build on
your legacy…
because it works!
Your traditional systems, including mainframes and IBM i servers, adapt and deliver increasing value with each new technology wave
91% of executives predict long-term viability of the mainframe as the platform continues evolving to meet digital business demands
>100k companies today use IBM i technology to run significant workloads & power critical business applications
2.5 B (that’s 2,500,000,000) business transactions per mainframe per day
2000+ organizations overall
Sources: BMC 12th Annual Mainframe Research Results, Nov. 2017; Syncsort, “2018 State of Resilience: The New IT Landscape for Executives: Threats, Opportunities and Best Practices,” Jan. 2018
5. ACCORDING TO IBM, OVER 150,000 COMPANIES IN MORE
THAN 115 COUNTRIES RUN THEIR BUSINESS ON IBM i *
IBM i Market Statistics
70% SMB (< 1000 employees)
30% Large (> 1000 employees)
* Source: https://www-03.ibm.com/systems/power/software/i/smartpaper/
A top priority for all growing companies is to keep
the business up and running.
Companies who deliver information and services
to their customers on the Web are even more
sensitive to the requirement for available services.
6. IT operation analytics and security remain big drivers for mainframe organizations
Market Landscape and Key Concepts:
Please rank your organization’s top objectives that impact your mainframe
environment over the next 12 months, with 1 being of high
priority/concern and 6 being of least concern/priority
(select all that apply)
7. Splunk: Industry-Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume
Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Apps, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID, Mainframe & IBM i
On-Premises, Private Cloud, Public Cloud
Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing
Answer Any Question: Developer Platform, Report & analyze, Custom dashboards, Monitor & alert, Ad hoc search
8. Market Landscape and Key Concepts: Log Analysis
What is a Log?
• Logs are emitted by network devices, operating systems, applications and all manner of intelligent or programmable devices.
• A stream of messages in time sequence often comprises a log.
• Logs may be directed to files and stored on disk, or directed as a network stream to a log collector.
• IBM i refers to logs as journals
Organizations analyze these logs to proactively and reactively mitigate different risks.
Typical reasons to perform log analysis are:
• Compliance with security policies
• Compliance with audit or regulation
• System Troubleshooting
• Monitor operations & availability
9. Use Cases In Production - Security and Compliance
Financial Services, Government Agency, Major Insurance Company
Monitoring of security for regulatory compliance
More efficient fulfillment of mandatory security and compliance audits
Major Insurance Company: Compliance audit; personal health information (PHI)
10. Use Cases In Production – IT Operations
Monitoring web-application availability and reducing mean-time-to-resolution of web-based customer application issues
Reducing mean-time-to-resolution of system problems
Monitoring of Service Level Agreements (SLAs) for execution of all batch JOB workloads
Major Insurance Company
Major Financial Services Company
Financial Services
11. Use Cases In Production – SLED and Government
IRS Pub 1075 compliance combined with need to recover erroneous and fraudulent unemployment benefits payments
Visibility into their RACF environment for monitoring logon and logoff activity on their mainframe applications in real time
Audit preparation and ongoing information security across large, growing enterprise
State Agency
Government Agency
12. Key Use Cases for Enterprise Log Data
IT Operations Analytics/ITOA
• Bigger picture of what's happening in the environment
• Make better decisions to take control of the IT infrastructure
• Problem Detection & Isolation
• Ensure SLAs met
Security and Compliance/SIEM
• Detect and prevent security threats
• Ensure compliance
• Ensure audits pass
13. Big Iron to Big Data Analytics Challenges
So many data sources
Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
IBM i: QAUDJRN, QHST, Message Queues, Operational Logs
Format of data
Mainframe:
• Complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
• EBCDIC not recognized outside of the mainframe world
• Binary flags and fields
IBM i:
• Complex data structures with unique journal entry types, headers, product sections, data sections, variable length and self-describing
• IBM i journals in DB2
• Collection Services
• IBM i information needs to be converted to workable formats such as Syslog, CEF, JSON, etc.
Volume of data
Millions of records generated daily
Difficulty to get the information in a timely manner
• Not real-time, typically have to wait overnight for an offload
• Typical daily FTP upload/downloads can’t get granular
14. Market Landscape and Key Concepts: What is needed?
• High-performance, low-cost platform for collecting critical system information in real time
• Normalization of the z/OS and IBM i data so it can be used by off-platform analytics engines
• Full analytics, visualization, and customization with no limitations on what can be viewed
• Ability to easily combine information from different data sources and systems
• Address the SME challenge: use by network managers, security analysts, application analysts, enterprise architects without requiring mainframe/IBM i access or expertise
15. Syncsort Ironstream for IBM z and IBM i
• Enabling organizations to get machine data from System z and IBM i to Splunk for log analytics.
• Extend What Splunk Does Already, to the Other ~40%-80% of IT Processing
• 360° View: Make the Splunk View of the Enterprise Complete
• Same Splunk Dashboards, Bigger, More Complete Data Sets; Free Apps
Get a complete view of your Enterprise IT
16. New Product - Ironstream® for IBM i
• Custom interface and user configuration
• Advanced filtering & query options
• Near real-time forwarding to Splunk
• Interval processing (HH:MM:SS)
• User-defined formatting of output
• Support for SIEM platforms including QRadar, ArcSight, LogRhythm
• Fast & Easy to install
• Low footprint
17. Ironstream® for IBM i - Overview
[Diagram]
Data sources: Collection Services, System Audit Journal, Accounting Journal, System Examiner, Message Queues
IRONSTREAM for IBM i: Data Forwarder & Formatter; Query & Configuration Services
Output formats: JSON, CEF, LEEF, User-definable
Transport: TCP/IP, UDP, TLS
Destination: Splunk or other SIEM console
18. IBM i Security Data – Authorization Exceptions
Invalid Login Attempts
Object Authority Failures
19. IBM i Performance Data – Disk Activity
Disk Utilization Metrics
Disk Read/Write Activity
21. Comprehensive Security & Operational Metrics
Disk Information
• Reads/Writes
• Disk Capacity
• Disk Space Availability
• Disk Busy
• Disk Response Times
Job Information
• CPU used
• Socket sends/receives
• Stream file, directory and Symlink reads
• Stream file writes
• Seize/Wait time
• Communication Puts/Gets
CPU information Per Virtual CPU
• Time used
• Number of CPUs active
TCP communications
• Detailed stats at Datagram
• Fragmentation information
Physical Processor information per CPU
• Time used
• Owning Partition
Virtual Processor information per Virtual CPU
• Status, Time active, Time used.
• Configured/Uncapped available time
• Instruction count
Memory pool information per Pool
• Database faults
• Non-database faults
• Job transitions Size
• Disk I/O stats
• Pages aged and stolen
Job summary information
• CPU used
• Disk I/O detail
• Database/Non-database
• Page faults
• I/O Pending faults
Security Information
• User Profiles
• System Values
• Object attributes & authorities
• Authorization Lists, Job Descriptions
• Commands
• Active Jobs, Spool Files
• Changes to values, authorities, profiles, auth. lists
• Access attempts (authentication or object access)
• Sensitive object access
22. Summary: Value Today for Enterprises with an IBM i
Less Complexity
Collect IBM i data; correlate with data from the mainframe and other platforms; no IBM i expertise required
Clearer Security Information
Identify unauthorized access and other security risks; prepare and visualize key data for compliance audits
Healthier IT Operations
Real-time alerts identify problems in all key environments. View latency, utilization, exceptions, etc.
Effective Problem-Resolution Management
Real-time views to identify real or potential failures earlier; view related 'surrounding' information to support triage, repair or prevention
Higher Operational Efficiency
Enhanced event correlation across systems; staff resolves problems faster; “do more with less”
Eliminate Your Mainframe & IBM i “Blind-Spot”
Splunk + Ironstream = Your 360° Enterprise View
23. Questions
Ed Wrazen
DIRECTOR, PRODUCT MANAGEMENT
p +44 (0)118 940 7634
ed.wrazen@syncsort.com
Rich Fronheiser
DIRECTOR, PRODUCT MARKETING
p 845-535-6943
rich.fronheiser@syncsort.com